thunderbird-78.12.0-3.el8.ML.1
Errata ID: AXSA:2021-2308:14
Release date:
2021/08/10 Tuesday - 08:59
Title:
thunderbird-78.12.0-3.el8.ML.1
Affected channels:
Asianux Server 8 for x86_64
Severity:
High
Description:
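The following items have been addressed.
[Security Fix]
- Thunderbird has a vulnerability in which, when it is configured to use STARTTLS for IMAP connections and an attacker injects IMAP server responses before the STARTTLS handshake completes, Thunderbird does not ignore the injected data and therefore displays incorrect information. (CVE-2021-29969)
- Firefox and Thunderbird have a vulnerability in which displaying a malicious page could cause a use-after-free, memory corruption, or a crash. (CVE-2021-29970)
- Firefox and Thunderbird have a memory corruption issue, and exploiting this issue could allow arbitrary code to be executed. (CVE-2021-29976)
- ANGLE in Google Chrome has an out-of-bounds write issue that allows a remote attacker to access out-of-bounds memory via a crafted HTML page. (CVE-2021-30547)
Solution:
Update the packages.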
CVE:
CVE-2021-29969
If Thunderbird was configured to use STARTTLS for an IMAP connection, and an attacker injected IMAP server responses prior to the completion of the STARTTLS handshake, then Thunderbird didn't ignore the injected data. This could have resulted in Thunderbird showing incorrect information, for example the attacker could have tricked Thunderbird to show folders that didn't exist on the IMAP server. This vulnerability affects Thunderbird < 78.12.
CVE-2021-29970
A malicious webpage could have triggered a use-after-free, memory corruption, and a potentially exploitable crash. *This bug could only be triggered when accessibility was enabled.* This vulnerability affects Thunderbird < 78.12, Firefox ESR < 78.12, and Firefox < 90.
CVE-2021-29976
Mozilla developers reported memory safety bugs present in code shared between Firefox and Thunderbird. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 78.12, Firefox ESR < 78.12, and Firefox < 90.
CVE-2021-30547
Out of bounds write in ANGLE in Google Chrome prior to 91.0.4472.101 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page.
Additional information:
N/A
Downloads:
SRPMS
- thunderbird-78.12.0-3.el8.ML.1.src.rpm
MD5: 83e6553ca7a28787b3d6b32010ef5928
SHA-256: be710aad24b5dc9313cbb3beb6b9fd162349d71af62b278dbe573bd27886494e
Size: 689.69 MB
Asianux Server 8 for x86_64
- thunderbird-78.12.0-3.el8.ML.1.x86_64.rpm
MD5: cc375c44b653bc13f060aee1daa5d080
SHA-256: 0063d78753e9b2d7a9aba34f06d26bb070698ef30cf52e7170e37ccdea10334a
Size: 93.17 MB